USBGuard
Software framework that protects your computer against rogue USB devices by implementing basic whitelisting and blacklisting capabilities.
usbguard::Audit Class Reference

Generates audit events for given policy or device events.

#include <Audit.hpp>

Public Member Functions

Audit (const AuditIdentity &identity)
    Constructs new audit object with given AuditIdentity and hidePII set to false.

void setBackend (std::unique_ptr< AuditBackend > backend)
    Sets AuditBackend that will be used to commit generated audit events.

void setHidePII (bool hide_pii)
    Sets whether personally identifiable information such as device serial numbers and hashes of the descriptors (which include the serial number) should be excluded from audit entries.

AuditEvent policyEvent (std::shared_ptr< Rule > rule, Policy::EventType event)
    Constructs new AuditEvent for given policy event.

AuditEvent policyEvent (std::shared_ptr< Rule > new_rule, std::shared_ptr< Rule > old_rule)
    Constructs new AuditEvent for given policy event.

AuditEvent policyEvent (std::shared_ptr< Device > device, Policy::EventType event)
    Constructs new AuditEvent for given policy event.

AuditEvent policyEvent (std::shared_ptr< Device > device, Rule::Target old_target, Rule::Target new_target)
    Constructs new AuditEvent for given policy event.

AuditEvent deviceEvent (std::shared_ptr< Device > device, DeviceManager::EventType event)
    Constructs new AuditEvent for given device event.

AuditEvent deviceEvent (std::shared_ptr< Device > new_device, std::shared_ptr< Device > old_device)
    Constructs new AuditEvent for given device event.

AuditEvent policyEvent (const AuditIdentity &identity, std::shared_ptr< Rule > rule, Policy::EventType event)
    Constructs new AuditEvent for given policy event.

AuditEvent policyEvent (const AuditIdentity &identity, std::shared_ptr< Rule > new_rule, std::shared_ptr< Rule > old_rule)
    Constructs new AuditEvent for given policy event.

AuditEvent policyEvent (const AuditIdentity &identity, std::shared_ptr< Device > device, Policy::EventType event)
    Constructs new AuditEvent for given policy event.

AuditEvent policyEvent (const AuditIdentity &identity, std::shared_ptr< Device > device, Rule::Target old_target, Rule::Target new_target)
    Constructs new AuditEvent for given policy event.

AuditEvent deviceEvent (const AuditIdentity &identity, std::shared_ptr< Device > device, DeviceManager::EventType event)
    Constructs new AuditEvent for given device event.

AuditEvent deviceEvent (const AuditIdentity &identity, std::shared_ptr< Device > new_device, std::shared_ptr< Device > old_device)
    Constructs new AuditEvent for given device event.

Detailed Description

Generates audit events for given policy or device events.

Constructor & Destructor Documentation

◆ Audit()

usbguard::Audit::Audit ( const AuditIdentity & identity )

Constructs new audit object with given AuditIdentity and hidePII set to false.

Parameters
    identity: Audit identity.

Member Function Documentation

◆ deviceEvent() [1/4]

AuditEvent usbguard::Audit::deviceEvent ( std::shared_ptr< Device > device,
DeviceManager::EventType event
)

Constructs new AuditEvent for given device event.

Sets audit event keys:

  • type=Device.<event type>
  • device.system_name=<device system name>
  • device.rule=<device rule>

Audit device changes:

  • device insertion
  • device removal
  • device authorization target change

Audit data:

  • who: uid + pid
  • when: time
  • what: insert, remove, authorization target
  • change: old, new
Parameters
    device: Device where the event occurred.
    event: Device event type.
Returns
    Audit event.

◆ deviceEvent() [2/4]

AuditEvent usbguard::Audit::deviceEvent ( std::shared_ptr< Device > new_device,
std::shared_ptr< Device > old_device
)

Constructs new AuditEvent for given device event.

Sets audit event keys:

  • type=Device.Update
  • device.system_name=<device system name>
  • device.rule.old=<old device rule>
  • device.rule.new=<new device rule>

Audit device changes:

  • device insertion
  • device removal
  • device authorization target change

Audit data:

  • who: uid + pid
  • when: time
  • what: insert, remove, authorization target
  • change: old, new
Parameters
    new_device: New device.
    old_device: Old device.
Returns
    Audit event.

◆ deviceEvent() [3/4]

AuditEvent usbguard::Audit::deviceEvent ( const AuditIdentity & identity,
std::shared_ptr< Device > device,
DeviceManager::EventType event
)

Constructs new AuditEvent for given device event.

Sets audit event keys:

  • type=Device.<event type>
  • device.system_name=<device system name>
  • device.rule=<device rule>

Audit device changes:

  • device insertion
  • device removal
  • device authorization target change

Audit data:

  • who: uid + pid
  • when: time
  • what: insert, remove, authorization target
  • change: old, new
Parameters
    identity: Audit identity.
    device: Device where the event occurred.
    event: Device event type.
Returns
    Audit event.

◆ deviceEvent() [4/4]

AuditEvent usbguard::Audit::deviceEvent ( const AuditIdentity & identity,
std::shared_ptr< Device > new_device,
std::shared_ptr< Device > old_device
)

Constructs new AuditEvent for given device event.

Sets audit event keys:

  • type=Device.Update
  • device.system_name=<device system name>
  • device.rule.old=<old device rule>
  • device.rule.new=<new device rule>

Audit device changes:

  • device insertion
  • device removal
  • device authorization target change

Audit data:

  • who: uid + pid
  • when: time
  • what: insert, remove, authorization target
  • change: old, new
Parameters
    identity: Audit identity.
    new_device: New device.
    old_device: Old device.
Returns
    Audit event.

◆ policyEvent() [1/8]

AuditEvent usbguard::Audit::policyEvent ( std::shared_ptr< Rule > rule,
Policy::EventType event
)

Constructs new AuditEvent for given policy event.

Sets audit event keys:

  • type=Policy.<eventType>
  • rule.id=<rule ID>
  • rule=<rule>

Audit policy changes:

  • rule append
  • rule remove
  • rule update
  • policy parameter change

Audit data:

  • who: uid + pid
  • when: time
  • what: append, remove, update
  • update: old, new
Parameters
    rule: Rule to audit.
    event: Event to audit.
Returns
    Audit event.

◆ policyEvent() [2/8]

AuditEvent usbguard::Audit::policyEvent ( std::shared_ptr< Rule > new_rule,
std::shared_ptr< Rule > old_rule
)

Constructs new AuditEvent for given policy event.

Sets audit event keys:

  • type=Policy.Update
  • rule.id=<old rule ID>
  • rule.old=<old rule>
  • rule.new=<new rule>

Audit policy changes:

  • rule append
  • rule remove
  • rule update
  • policy parameter change

Audit data:

  • who: uid + pid
  • when: time
  • what: append, remove, update
  • update: old, new
Parameters
    new_rule: New rule to audit.
    old_rule: Old rule to audit.
Returns
    Audit event.

◆ policyEvent() [3/8]

AuditEvent usbguard::Audit::policyEvent ( std::shared_ptr< Device > device,
Policy::EventType event
)

Constructs new AuditEvent for given policy event.

Sets audit event keys:

  • type=Policy.Device.<eventType>
  • target=<device rule target>
  • device.system_name=<device system name>
  • device.rule=<device rule>

Audit policy changes:

  • rule append
  • rule remove
  • rule update
  • policy parameter change

Audit data:

  • who: uid + pid
  • when: time
  • what: append, remove, update
  • update: old, new
Parameters
    device: Device where the event occurred.
    event: Event to audit.
Returns
    Audit event.

◆ policyEvent() [4/8]

AuditEvent usbguard::Audit::policyEvent ( std::shared_ptr< Device > device,
Rule::Target old_target,
Rule::Target new_target
)

Constructs new AuditEvent for given policy event.

Sets audit event keys:

  • type=Policy.Device.Update
  • target.old=<old rule target>
  • target.new=<new rule target>
  • device.system_name=<device system name>
  • device.rule=<device rule>

Audit policy changes:

  • rule append
  • rule remove
  • rule update
  • policy parameter change

Audit data:

  • who: uid + pid
  • when: time
  • what: append, remove, update
  • update: old, new
Parameters
    device: Device where the rule target has changed.
    old_target: Old rule target.
    new_target: New rule target.
Returns
    Audit event.

◆ policyEvent() [5/8]

AuditEvent usbguard::Audit::policyEvent ( const AuditIdentity & identity,
std::shared_ptr< Rule > rule,
Policy::EventType event
)

Constructs new AuditEvent for given policy event.

Sets audit event keys:

  • type=Policy.<eventType>
  • rule.id=<rule ID>
  • rule=<rule>

Audit policy changes:

  • rule append
  • rule remove
  • rule update
  • policy parameter change

Audit data:

  • who: uid + pid
  • when: time
  • what: append, remove, update
  • update: old, new
Parameters
    identity: Audit identity.
    rule: Rule to audit.
    event: Event to audit.
Returns
    Audit event.

◆ policyEvent() [6/8]

AuditEvent usbguard::Audit::policyEvent ( const AuditIdentity & identity,
std::shared_ptr< Rule > new_rule,
std::shared_ptr< Rule > old_rule
)

Constructs new AuditEvent for given policy event.

Sets audit event keys:

  • type=Policy.Update
  • rule.id=<old rule ID>
  • rule.old=<old rule>
  • rule.new=<new rule>

Audit policy changes:

  • rule append
  • rule remove
  • rule update
  • policy parameter change

Audit data:

  • who: uid + pid
  • when: time
  • what: append, remove, update
  • update: old, new
Parameters
    identity: Audit identity.
    new_rule: New rule to audit.
    old_rule: Old rule to audit.
Returns
    Audit event.

◆ policyEvent() [7/8]

AuditEvent usbguard::Audit::policyEvent ( const AuditIdentity & identity,
std::shared_ptr< Device > device,
Policy::EventType event
)

Constructs new AuditEvent for given policy event.

Sets audit event keys:

  • type=Policy.Device.<eventType>
  • target=<device rule target>
  • device.system_name=<device system name>
  • device.rule=<device rule>

Audit policy changes:

  • rule append
  • rule remove
  • rule update
  • policy parameter change

Audit data:

  • who: uid + pid
  • when: time
  • what: append, remove, update
  • update: old, new
Parameters
    identity: Audit identity.
    device: Device where the event occurred.
    event: Event to audit.
Returns
    Audit event.

◆ policyEvent() [8/8]

AuditEvent usbguard::Audit::policyEvent ( const AuditIdentity & identity,
std::shared_ptr< Device > device,
Rule::Target old_target,
Rule::Target new_target
)

Constructs new AuditEvent for given policy event.

Sets audit event keys:

  • type=Policy.Device.Update
  • target.old=<old rule target>
  • target.new=<new rule target>
  • device.system_name=<device system name>
  • device.rule=<device rule>

Audit policy changes:

  • rule append
  • rule remove
  • rule update
  • policy parameter change

Audit data:

  • who: uid + pid
  • when: time
  • what: append, remove, update
  • update: old, new
Parameters
    identity: Audit identity.
    device: Device where the rule target has changed.
    old_target: Old rule target.
    new_target: New rule target.
Returns
    Audit event.

◆ setBackend()

void usbguard::Audit::setBackend ( std::unique_ptr< AuditBackend > backend )

Sets AuditBackend that will be used to commit generated audit events.

Parameters
    backend: AuditBackend to use for committing audit events.

◆ setHidePII()

void usbguard::Audit::setHidePII ( bool hide_pii )

Sets whether personally identifiable information such as device serial numbers and hashes of the descriptors (which include the serial number) should be excluded from audit entries.

Parameters
    hide_pii: If true then personally identifiable information will be excluded from audit entries.
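
A consumer-side check for the setHidePII() behaviour described above, as an added example that is not part of the USBGuard sources: it scans a `device.rule` audit value for attributes that carry serial numbers or descriptor hashes. It assumes the value is rule text in which an attribute name is followed by a double-quoted value; the function names, the attribute list (including `parent-hash`) and the sample rules are constructed for illustration.

```cpp
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Attribute names treated as PII-bearing (assumption: "serial" and "hash" per
// the setHidePII() description, plus "parent-hash" as a further descriptor hash).
static const std::vector<std::string> kPiiAttributes = {"serial", "hash", "parent-hash"};

// Splits rule text into bare (unquoted) words. Quoted values are skipped, so a
// device whose name is "hash" or "serial" does not produce a false positive.
std::vector<std::string> bareWords(const std::string& rule) {
    std::vector<std::string> words;
    std::string current;
    bool in_quotes = false;
    for (std::size_t i = 0; i < rule.size(); ++i) {
        const char c = rule[i];
        if (in_quotes) {
            if (c == '\\' && i + 1 < rule.size()) ++i;  // skip escaped character
            else if (c == '"') in_quotes = false;
            continue;
        }
        if (c == '"') in_quotes = true;
        if (c == '"' || std::isspace(static_cast<unsigned char>(c))) {
            if (!current.empty()) { words.push_back(current); current.clear(); }
        } else {
            current += c;
        }
    }
    if (!current.empty()) words.push_back(current);
    return words;
}

// Returns the PII-bearing attribute names found in a device.rule value.
std::vector<std::string> piiAttributesIn(const std::string& device_rule) {
    std::vector<std::string> found;
    for (const std::string& word : bareWords(device_rule))
        for (const std::string& attr : kPiiAttributes)
            if (word == attr) found.push_back(word);
    return found;
}

int main() {
    // Constructed sample values for the device.rule audit key.
    const std::string with_pii = "allow id 1234:abcd serial \"0001\" name \"hash\" hash \"AAAA=\"";
    const std::string hidden = "allow id 1234:abcd name \"hash\" with-interface 08:06:50";
    std::cout << piiAttributesIn(with_pii).size() << " PII attributes, then "
              << piiAttributesIn(hidden).size() << " with PII hidden\n";
    return 0;
}
```

A non-empty result for an entry produced while hide_pii is expected to be true indicates that the audit trail still carries device-identifying data.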
